IT Examiner School - Oct 2023

Internal Use Only

Service Organization Control (SOC) Reports

Two types of Service Organization Control (SOC) Reports:

• Type I
  • Describes the servicer’s descriptions of controls at a specific point in time
  • Auditor performs no testing of servicer’s controls - attesting to controls based on servicer’s account of controls - no opinion
• Type II (preferred)
  • Includes information from a Type I Report
  • Detailed testing of the servicer’s controls over a minimum consecutive six-month period
  • Auditor expresses an opinion based on their testing


Audit Reporting/Follow-up

Similar to Safety & Soundness:

o IT Audit reporting channels
  ▪ What is being reported and to whom
o Senior Management Responses
  ▪ Are they reasonable and is the corrective timeframe appropriate
o Exception Tracking
  ▪ Show all IT audit findings, both Internal and External, and regulatory along with corrective action(s)
